nextcloud/user_saml

Invalid usernames allowed

fetimo opened this issue · 0 comments

fetimo commented

Steps to reproduce

  1. Set up SAML with Auth0 (or another IdP with different username requirements to Nextcloud)
  2. Log in to Nextcloud
  3. Use an app assuming a standard Nextcloud username, e.g. Talk

Expected behaviour

The SSO & SAML app should convert usernames into a format compatible with Nextcloud or include a warning. Or perhaps a lookup table from the original username to a Nextcloud version?

Actual behaviour

The SSO & SAML app allows invalid usernames. This has a knock-on effect on other apps (see nextcloud/server#40016) that assume a username looks like a valid Nextcloud username.

Server configuration

Operating system: Linux 5.4

Database: 10.5

PHP version: 8.1.19

Nextcloud version: 25.0.7 Enterprise

SSO & SAML app version: 5.2.1
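
One way to implement the conversion and lookup table asked for under "Expected behaviour", as an added example (not code from the reporter or from user_saml). The allowed character set, the 64-character limit and the helper names `isValidUid` and `mapUid` are assumptions; the sample IDs are constructed.

```php
<?php
declare(strict_types=1);

// Assumption: Nextcloud accepts a-z, A-Z, 0-9, space and _.@-' in a user ID,
// up to 64 characters. Adjust both constants to match your server version.
const ALLOWED_UID = '/^[a-zA-Z0-9 _.@\-\']+$/D';
const MAX_UID_LENGTH = 64;

/** Hypothetical helper: can the IdP-supplied ID be used unchanged? */
function isValidUid(string $uid): bool
{
    return $uid === trim($uid)
        && $uid !== '.' && $uid !== '..'
        && strlen($uid) <= MAX_UID_LENGTH
        && preg_match(ALLOWED_UID, $uid) === 1;
}

/**
 * Hypothetical helper: map an IdP ID to a compatible user ID and record it.
 * Invalid IDs become the SHA-256 hex digest of the original instead of having
 * characters stripped, so "a|b" and "ab" cannot collapse into one account.
 */
function mapUid(string $idpUid, array &$lookup): string
{
    if (isset($lookup[$idpUid])) {
        return $lookup[$idpUid];            // stable across logins
    }
    $mapped = isValidUid($idpUid) ? $idpUid : hash('sha256', $idpUid);
    // A valid-looking ID could equal another identity's digest: refuse it.
    if (in_array($mapped, $lookup, true)) {
        throw new RuntimeException("UID collision for IdP ID: $idpUid");
    }
    return $lookup[$idpUid] = $mapped;
}

// Constructed sample IDs, not taken from the issue.
$lookup = [];
foreach (['alice', 'example|64f0c0ffee', 'carol#1'] as $id) {
    printf("%-20s => %s\n", $id, mapUid($id, $lookup));
}
```

In a real deployment the lookup table would be persisted (for example in the database), so the same IdP identity resolves to the same user ID on every login.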